Skip to content

Restrict EndpointRequest links to the specified HTTP method#50095

Open
dlwldnjs1009 wants to merge 1 commit intospring-projects:3.5.xfrom
dlwldnjs1009:fix-endpointrequest-links-httpmethod
Open

Restrict EndpointRequest links to the specified HTTP method#50095
dlwldnjs1009 wants to merge 1 commit intospring-projects:3.5.xfrom
dlwldnjs1009:fix-endpointrequest-links-httpmethod

Conversation

@dlwldnjs1009
Copy link
Copy Markdown
Contributor

Summary

  • EndpointRequest.toAnyEndpoint().withHttpMethod(POST) restricted
    endpoint paths to POST, but the links path (/actuator and
    /actuator/) still matched any HTTP method.
  • This follows up on HTTP method is lost when configuring excludes in EndpointRequest #49885, which preserved HttpMethod through
    exclusion chaining but did not apply it to the links path itself.

Test plan

  • Strengthened toAnyEndpointWithHttpMethodShouldRespectRequestMethod
    in both servlet and reactive tests to verify that the links path
    also respects the configured HTTP method

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 17, 2026
@wilkinsona
Copy link
Copy Markdown
Member

Thanks, @dlwldnjs1009. The links endpoint only supports GET requests but this certainly doesn't do any harm.

@wilkinsona wilkinsona added type: task A general task and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 17, 2026
@wilkinsona wilkinsona added this to the 3.5.x milestone Apr 17, 2026
@dlwldnjs1009
Copy link
Copy Markdown
Contributor Author

Thanks, @dlwldnjs1009. The links endpoint only supports GET requests but this certainly doesn't do any harm.

Thanks for the clarification.

@wilkinsona wilkinsona self-assigned this Apr 17, 2026
EndpointRequest.toAnyEndpoint().withHttpMethod(...) restricted
endpoint paths but still allowed any HTTP method for the links
path, yet the mappings for the links path are only registered
for GET requests.

Restrict the links path using the configured HttpMethod in both
servlet and reactive matchers.

Signed-off-by: Lee JiWon <dlwldnjs1009@gmail.com>

See spring-projectsgh-50095
@wilkinsona wilkinsona changed the base branch from main to 3.5.x April 17, 2026 13:22
@wilkinsona wilkinsona force-pushed the fix-endpointrequest-links-httpmethod branch from 097cde1 to 24f6214 Compare April 17, 2026 13:22
@wilkinsona
Copy link
Copy Markdown
Member

With the proposed change, you can configure the HTTP method for links when using toAnyEndpoint() but not when using toLinks(). That doesn't feel quite right. I'm wondering if we should just hardcode GET and document that's what happens. I'll discuss it with the team.

@wilkinsona wilkinsona added the for: team-meeting An issue we'd like to discuss as a team to make progress label Apr 17, 2026
@dlwldnjs1009
Copy link
Copy Markdown
Contributor Author

dlwldnjs1009 commented Apr 17, 2026

Thanks for the clarification. That makes sense. I'm happy to revise the PR to take that approach.

nikitanagar08 added a commit to nikitanagar08/spring-boot that referenced this pull request Apr 19, 2026
Fixes spring-projectsgh-50095

EndpointRequest.toAnyEndpoint().withHttpMethod() now applies the
configured HTTP method to the links path in addition to endpoint paths.

Previously, calling toAnyEndpoint().withHttpMethod(POST) restricted
endpoint paths to POST but the links path (/actuator and /actuator/)
still matched any HTTP method.

Changes:
- Updated getLinksMatchers() to accept and use httpMethod parameter
- Modified LinksServerWebExchangeMatcher to accept httpMethod in constructor
- Strengthened tests to verify links path respects configured HTTP method
- Both servlet and reactive implementations updated

The toLinks() matcher continues to accept any HTTP method to maintain
backward compatibility.
@nikitanagar08

This comment was marked as resolved.

@wilkinsona

This comment was marked as resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

for: team-meeting An issue we'd like to discuss as a team to make progress type: task A general task

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants